MPs' personal details exposed online

The email addresses of Leicester's MPs have been leaked to dark web marketplaces where people illegally buy and sell data.

Claudia Webbe (L), Liz Kendall (C) and Jonathan Ashworth (R) are all currently seeking re-election. Photograph: House of Commons

In our investigation, we searched the dark web for both official and personal email addresses associated with each member of parliament (MP) in Leicester. We found several instances of serious data breaches.

The fact that these email addresses, which are publicly available, are on the dark web is not evidence of a security failure or 'hack'. Rather, analysis strongly suggests that politicians used their email addresses to sign up to third-party services, and that those services were later breached by malicious actors. Our investigation involved using dark web monitoring services and verifying the leaks directly.

The dark web is online content that is not typically indexed by major search engines, like Google. Tools like Tor Browser can be used to access these areas of the internet and stay anonymous online, which is why many consider it a place where online marketplaces for drugs, exchanges for stolen data, and other illegal activities happen. However, there are legitimate reasons people, like whistleblowers and journalists, choose to use the dark web.

Among Leicester's MPs, some passwords were exposed alongside personal email accounts. If a politician used one of these leaked passwords to protect their official parliamentary email account, that account could also be at risk. The types of sensitive data that could be exposed range from official secrets to the personal information of MPs' friends, family, and colleagues.

The biggest victim of widespread data leaks was Claudia Webbe, independent MP for Leicester East. In total, 27 third-party services she signed up to under her personal email address had been compromised. Fashion labels, cloud services, social media, forums, blogging tools, geological websites, and messaging apps were among the leaks.

Ismini Vasileiou, associate professor of information systems at De Montfort University, said:

“Third-party data breaches are becoming more and more common when sharing personal info on websites. Often, politicians and people with high-profile job roles don't know when to use their work address and when to use their personal address. The discovery that a Leicester MP's email was implicated in 27 separate third-party data breaches highlights a severe cybersecurity vulnerability. Such extensive exposure significantly increases the risk of sensitive information being accessed and misused by malicious actors. Each breach represents a potential gateway through which hackers can gain insights into personal habits, communication patterns, and even confidential information. 

“The fact that so many breaches involve diverse platforms — from fashion labels and cloud services to social media and messaging apps — indicates a widespread neglect of security practices. This negligence poses a critical threat not just to personal privacy, but also to the integrity of official communications and parliamentary functions.

“The implications of being linked to numerous breaches extend far beyond immediate privacy concerns. If compromised passwords from these breaches are reused for official accounts, the security of parliamentary systems could be directly threatened. Such incidents highlight now more than ever the need for robust cybersecurity measures, including the use of unique passwords, multifactor authentication, and regular security audits. The magnitude of these breaches can serve as a reminder that even seemingly minor lapses in personal digital hygiene can have far-reaching consequences. It is imperative for all public officials to prioritise cybersecurity to protect not only their own information, but also the sensitive data they handle in their professional capacities.”

Likewise, Jonathan Ashworth and Liz Kendall, Labour MPs for Leicester South and Leicester West respectively, were named in some of the world's largest data breaches, including the 2017 Online Spambot dump and 2019 leak. The names, job titles, phone numbers and physical addresses of Ashworth's contacts were likely exposed in a 2020 data leak from a third-party service provider, as were Webbe's in the same attack.

In response, Webbe said: “In terms of my own data security practices, no personal passwords were ever re-used for my parliamentary email address or system access. However, the findings, whilst alarming but not surprising, emphasise the need for effective action against malicious actors on the dark web.

“Plans for ‘online harm’ protection laws have focused on the everyday web that we all use, but it’s clear that the area the government and parliament should also be focused on is the dark web and the criminals and unscrupulous individuals, who use it for illegitimate access and gain.

“We need stronger powers and protections to keep everyone safe from those who use the ‘dark web’ to target political and personal data and systems.”

Liz Kendall and Jonathan Ashworth did not respond in time for publication.

We only tested six email addresses across Leicester's three MPs, three of which were parliamentary and three personal. There may be other email addresses involved in data breaches that we are unaware of.

According to a similar investigation by tech company Proton, over two-thirds of UK MPs have had their data leaked to the dark web, including those who are supposed to look after the UK's cybersecurity. An alarming 443 out of 650 MPs have had some sort of personal details exposed in a hack or a breach, similarly gathered from third-party services MPs have signed up to using their parliamentary email address.

The UK has repeatedly been targeted by cyberattacks, including at Leicester City Council, where ransomware group INC Ransom stole 3 TB worth of data before publishing some of it on the dark web. The attack affected phone lines, email services and even street lights.

In a 3 April update, Richard Sword, the strategic director of city developments and neighbourhoods at Leicester City Council, confirmed that “a small number of documents held on our servers have been published by a known ransomware group.” The hack included rent statements, applications to purchase council housing and “identification documents such as passport information.” All individuals impacted were contacted by the council. The incident was referred to the Information Commissioner, Leicestershire Police and the National Cyber Security Agency.

At the time, Vasileiou said the criminal uses for the data “can go in any direction. We don't know how they're packaging the data to be resold elsewhere. That unknown scares any user, Leicester City Council, and [is] why we are taking it very seriously.”

Since its emergence in July 2023, INC Ransom has attacked multiple public authorities and government bodies. Shortly before the attack against Leicester City Council, they targeted NHS Dumfries and Galloway. So far, no ransom has been paid, but the group may be motivated by more than just profit, with some analysts suggesting INC may be driven to cause as much damage to institutions as possible, for whatever reason.

With a general election upcoming in the UK, it's important that new MPs take their cybersecurity seriously and follow strict security best practice. This could include using email aliases, unique passwords for every website, and enabling two-factor authentication, among other things.

Before writing this article, The Gazette told everyone who was impacted that their private information was on the internet. We directed them to resources on how to stay safe online.

  • To learn more about protecting yourself online, visit the National Cyber Security Centre's website here. If you suspect your personal data has been exposed, you can report a cyber incident here.
